Introduction to Hacking
- Introduction to Hacking
- History of Cryptography
- Why Privacy Matters
- Supercookies in the Wild
- Ultimate Guide to SSL for the Newbie
- How Internet Security and SSL Works
- Man in the Middle Hacking and Transport Layer Protection
- Cookie Security and Session Hijacking
- What is Cross Site Scripting? (XSS)
- What is Internal Implementation Disclosure?
- Parameter Tampering and How to Protect Against It
- What are SQL Injection Attacks?
- Protection Against Cross Site Attacks
The aim of this hacking and security tutorial series is to provide application developers with the knowledge of how exploits in their code can be used against the application and how a simple validation error can cause a data breach.
A Brief History of Hacking
The term hacking dates back to the early 1950's when it was a positive label given to a group of students at MIT who came up with some ingenious campus pranks. The pranks started way back in 1926 when a group of students "parked" a car on the wall the dormitory building. The term hacker was coined in the early 1950's when MIT computer gurus started to push computer systems beyond the defined limits. They would often find and exploit security holes into computer systems based purely on curiosity. Curiosity of what the system did, how the system could be used, how the system did what did, and why it did what it did.
Over time, these exploits were used for more sinister purposes, and hacking became a bad thing. Personal, confidential and money were stolen from computer systems and hackers were labelled the enemy. There are two main categories of hackers, white hat and black hat. White hat hackers, so called ethical hackers, attempt to breach security but don't perform any malicious acts. Instead they report their findings so that they vulnerability may be fixed and a reward given. Black hat hackers hack systems in a malicious way, either to deface a website, steal data or cause damage, physically, financially or through loss of reputation.
Introduction to Hacking
The tools and techniques presented here are not language or platform specific, it does not matter if you are writing a PHP application, ASP.Net Forms or MVC, nor if you use IIS, Apache, nginx or any other server technology. The practices are the same regardless.
It may surprise you to learn that all you really need to hack a website is Google Chrome, Firefox or IE with a developer tools and Fiddler, the free web debugging proxy. There other tools which offer a more automated, or brute force attempts, but the techniques are just as valid so I'll show you how Chromes developer tools combined with Fiddler can be used to identify risks and secure your website.
Google Chrome is my web browser of choice. Not only is it the fastest and lightest browser on the market, it also features a number of really useful developer options out the box. Additionally there is a large marketplace for third party plugins which further extend this functionality. Firefox is also a good browser and offers just as good developer tools and plugins, however I found over recent releases it was getting a bit bloated and slow. Although I use Google Chrome and Chrome Developer Tools in this article, the process is the same for using Firefox tools.
Pro Tip: Using Chromes "Incognito" mode is very handy as it automatically clears down all the cookies, cache and history information when the tab is closed. This means that when you open it up again, you are working with a fresh version of the site. All the past history is gone.
Google Chrome Developer Tools
Developer Tools are accessed using the F12 key. This will open up a new window (or a docked panel). There is a lot of stuff that goes on in the developer tools, but for this tutorial we are going to focus on Elements, Network and Resources.
The Elements tab breaks down the DOM (Document Object Model) and allows you to drill down into the HTML markup. You can also access the elements quickly by right clicking on the web page and selecting "Inspect Element" from the context menu. In the Elements tab you can directly manipulate the DOM and add or remove elements, attributes or values.
The Network tab allows you to view the network activity for the page. It lists all the request to the server, the files downloaded, timings for each request and status codes.
Finally, the resource tab shows things like images, css and fonts used, cookies for the page and anything that uses local storage. We can use this when we work with cookies later on.
For this tutorial there is a Chrome plugin that we are going to use. It's called Cookie Inspector and available on the Chrome web store. There are other plugins available, however I like this one because it integrates well with the developer tools. Cookie inspector will allow us to manipulate cookies set by a website and allow us to change the values before they are sent back to the website.
The other application we are going to be using is Fiddler. This application is a free HTTP debugging proxy, which basically means it captures HTTP traffic to and from your computer and a server. It allows you to inspect and analyse these captured requests and responses, look at the headers, any form data submitted and the body content. You can also compose your own HTTP requests and analyse the results from the server.